Implementation of GDPR in Greek Companies. The necessary steps for integration.
Abstract
Purpose – The purpose of this paper is to examine the application of the European General Data Protection Regulation (GDPR) to Greek companies. The research investigated the positive and negative impact of the implementation of the Regulation, 18 months after the new legislation came into effect, with regard to technological, organizational and legal issues.
Design/methodology/approach – The first step of this research was the study of the existing literature. Then, questionnaires were distributed to companies subject to the GDPR for the collection of quantitative data. Finally, research was conducted in a company that offers records management services, trying to bring the services into compliance with the GDPR.
Findings – The above procedures have yielded significant findings regarding the actual implementation of the GDPR in the companies and the technological and organizational issues that arose and need to be resolved.
The most important outcomes of this research are a) that the companies are in need of more guidance from the competent authorities in the field of data protection, b) that a significant cost is required to implement the changes in organizational structures and c) the important role of the Data Protection Officer (DPO).
Keywords
DOI: 10.26265/jiim.v5i1.4424